Tools to Audit Drupal Websites

A website audit can be done in two ways: with third-party tools and with contrib modules. Bear in mind that the two are complementary, not alternatives.

Third-Party Tools

Most third-party tools are used for monitoring performance, query load time, profiling, number of function calls, JS load time, HTML best practices and mobile usability. Below are the third-party tools which I prefer for auditing Drupal websites.

New Relic

New Relic provides deep insights for Drupal websites, including database performance, module monitoring, Apdex, function performance and front-end performance. It also provides Real User Monitoring (RUM), which gathers timing information and shows which hotspots in DOM (Document Object Model) rendering may be causing your page to take several seconds to load.

XHProf

XHProf measures the relative performance of your application at the code level. It captures things like CPU usage, memory usage, time and number of calls per function, a call graph, etc. Keep in mind that the act of profiling itself impacts performance.

YSlow

YSlow analyzes the web page and suggests ways to improve page performance based on rules (Minimize HTTP Requests, Use a Content Delivery Network, Cache-Control Header, Gzip Components, Put Stylesheets at the Top, Put Scripts at the Bottom, Avoid CSS Expressions, Make JavaScript and CSS External, Minify JavaScript and CSS, Avoid Redirects, Remove Duplicate Scripts, etc.). It also supports Smush.it and JSLint. YSlow can be configured in the system directly and is available for Firefox, Chrome, Mobile/Bookmarklet, Opera, Safari, Command Line (HAR), PhantomJS, Node.js Server and Source Code.

Other

Third-party websites monitor your site based on specified URLs and report which parts of the site can be improved. These parts can be JS, third-party URLs, service URLs, or HTML markup for desktop users and mobile usability. Generally, third-party sites check the page load time.

GTmetrix: It scans your web page and returns the PageSpeed grade, the YSlow grade and a timeline of all files included on the page.

Contrib Modules

Because Drupal is open source, many modules are available that also help in auditing Drupal sites. These modules can be independent or use third-party services. Examples include coder, xhprof, Dcq, Hacked, Security_Review and Drupalgeddon.

The Hacked module scans your site's core and contrib modules and themes for files that have been modified from their original versions and creates a patch. It also tells users exactly what has been changed. It is integrated with Drush as well.
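The kind of comparison described for the Hacked module, sketched as an added example (not the Hacked module's code and not from the original article): it compares a deployed module tree with a pristine copy of the same release and produces a unified diff per changed file. The module name `example_mod`, its files and all function names are constructed for illustration.

```python
import difflib
import tempfile
from pathlib import Path

def read_lines(path):
    # Decode leniently so a binary or oddly encoded file cannot abort the audit.
    return path.read_text(encoding="utf-8", errors="replace").splitlines(keepends=True)

def files_under(root):
    # Map each file's path relative to root onto its absolute path.
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def audit_tree(pristine_root, deployed_root):
    """Compare a deployed code tree with a pristine copy of the same release."""
    pristine, deployed = files_under(Path(pristine_root)), files_under(Path(deployed_root))
    report = {
        "added": sorted(deployed.keys() - pristine.keys()),    # files the release never shipped
        "removed": sorted(pristine.keys() - deployed.keys()),  # shipped files missing on the site
        "modified": {},                                        # relative path -> unified diff
    }
    for rel in sorted(pristine.keys() & deployed.keys()):
        if pristine[rel].read_bytes() != deployed[rel].read_bytes():
            diff = difflib.unified_diff(read_lines(pristine[rel]), read_lines(deployed[rel]),
                                        fromfile="a/" + rel, tofile="b/" + rel)
            report["modified"][rel] = "".join(diff)
    return report

def build_sample(base):
    # Constructed sample trees for a made-up module called "example_mod".
    files = {
        "pristine/example_mod/example_mod.module": "<?php\nfunction example_mod_menu() {\n  return array();\n}\n",
        "pristine/example_mod/README.txt": "Example module\n",
        "deployed/example_mod/example_mod.module": "<?php\nfunction example_mod_menu() {\n  return array('x' => 1);\n}\n",
        "deployed/example_mod/README.txt": "Example module\n",
        "deployed/example_mod/cache.php": "<?php // file not in the release\n",
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return Path(base) / "pristine", Path(base) / "deployed"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = audit_tree(*build_sample(tmp))
        print("added:", result["added"], "removed:", result["removed"])
        for patch in result["modified"].values():
            print(patch, end="")
```

Files reported as added deserve the same attention as modified ones, since a file the release never shipped does not show up in any patch.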

Drupalgeddon (with an "L") checks for backdoors and other traces of known exploits of "Drupageddon" (no "L"), aka the SA-CORE-2014-005 SQL injection. Drupalgeddon is not a module; it's a Drush command.